Summary: | app-office/openoffice <2.0.3 - multiple vulnerabilities (CVE-2006-2199, CVE-2006-2198, CVE-2006-3117) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | ChazeFroy <chazefroy> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | bugs, eselect, jakuhrlinux, jesus.de.santos, jon, maekke, office, rockoo, sgtphou, siryes |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Other | ||
URL: | http://www.openoffice.org/security/bulletin-20060629.html | ||
Whiteboard: | A2 [glsa] jaervosz | ||
Package list: | Runtime testing required: | --- |
Description
ChazeFroy
2006-06-29 21:34:39 UTC
Youi left out the most important part from the release notes.. We also recommend OpenOffice.org 2.0.3 because it includes important security fixes. These have not been exploited but all users of any prior version of OpenOffice.org are urged to download 2.0.3. A standalone patch will be available soon. http://www.openoffice.org/security/bulletin-20060629.html Security Bulletin 2006-06-29 OpenOffice.org 2.0.3 fixes three security vulnerabilites that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly. The three vulnerabilities involve: * Java Applets, CVE-2006-2199 * Macro, CVE-2006-2198; and * File Format, CVE-2006-3117 *** Bug 138546 has been marked as a duplicate of this bug. *** *** Bug 138547 has been marked as a duplicate of this bug. *** *** Bug 138567 has been marked as a duplicate of this bug. *** cc maintainers openoffice please provide updated ebuilds. And 2.0.3 is supposed to work out-of-the box as native amd64! I want ;) Just got back from GUADEC, so give me some time to get back on speed. Anyway, openoffice-bin should be done soon, source-built version could take a little longer, as ooo-build didn't provide a release until now (though there is one for RC7 which I could maybe use, didn't check until now). New version of openoffice-bin and openoffice are in now, please test accordingly Thx Andreas. Arches please test and mark stable. This will also cause eselect-1.0.2 to go stable. Might want to verify with those folks that they are ready for it. Stable on ppc. (In reply to comment #12) > This will also cause eselect-1.0.2 to go stable. Might want to verify with > those folks that they are ready for it. > And also: eselect-oodict and all the myspell dictionaries, otherwise the users won't have the possibility to spell check anymore. Both should be straightforward though. CC'ing eselect. SPARC is ready to go stable once we hear from the eselect folks. eselect and oodict don't work on AMD64, so openoffice-bin and a multilib install on AMD64 don't have spellcheck, and this prevents me from using openoffice-bin 2.0.3 (In reply to comment #17) > eselect and oodict don't work on AMD64, so openoffice-bin and a multilib > install on AMD64 don't have spellcheck, and this prevents me from using > openoffice-bin 2.0.3 > That has already been fixed yesterday, do an emerge sync and try again Eselect team is fine with stabling 1.0.2. 1.0.3 is no option as it's still in p.mask due to one unported module. sparc stable. @x86, AMD-64-herd: At least openoffice-bin should be trivial to mark stable, so any hope in getting this done soonish? Hmm, obviously both amd64 and x86-herds were never added, done this now. btw, as the title does not point this out: This security issues affects both openoffice and openoffice-bin 1) -bin emerges fine 2) QA: there are a lot of textrels...should I post the log? 3) tested some functions in writer, impress and calc (import of MS documents e.g.) -> works Sorry no time to test the normal build...am leaving for the weekend soon. (In reply to comment #23) > 2) QA: there are a lot of textrels...should I post the log? No, those are known. But as we use the upstream binary, there is nothing we can do about it anyway amd64 stable (In reply to comment #8) > And 2.0.3 is supposed to work out-of-the box as native amd64! > I want ;) > regarding to this comment i didn't tried to build from source afaik it doesn't work. But for somehow it works please cc amd64 team or me so we can start testing it and keyword. Thanks I tried building it on x86 (with USE="firefox"), but it failed because dev-libs/nspr-4.6.2 is needed (stable version is 4.6.1-r2). See bug #139453. x86 here. After several hours compiling it works fine with this options: [ebuild R ] app-office/openoffice-2.0.3 USE="eds gnome gtk pam xml -binfilter -cairo -debug -firefox -java -kde -ldap -mono -odk" LINGUAS="-af -ar -be_BY -bg -bn -bs -ca -cs -cy -da -de -el -en -en_GB -en_US -en_ZA -es -et -fa -fi -fr -gu_IN -he -hi_IN -hr -hu -it -ja -km -ko -lt -mk -nb -nl -nn -nr -ns -pa_IN -pl -pt -pt_BR -ru -rw -sh_YU -sk -sl -sr_CS -st -sv -sw_TZ -th -tn -tr -ts -vi -xh -zh_CN -zh_TW -zu" 0 kB I have tested each module (write, presentation...) x86 is done after many hours of compiling :(
>^.^<
I've removed the vulnerable versions now from the tree, so I think we should be fine for the GLSA Reopening as this is really not fixed until this is issued Updated in the 2006.1 snapshot, so I'm removing release@gentoo.org So what is keeping the GLSA from being issued? Just returning from vacation, I'll look into it tomorrow. GLSA 200607-12 Finally. Thanks everybody! |